Resources for site owners

How can I return Certificate Transparency information in my server response?

The Certificate Transparency RFC states that all TLS clients must support the following three mechanisms for including the SCT in the TLS handshake:

X509v3 Extension

TLS Extension

OCSP Stapling

As such, servers can use any one of these mechanisms to return Certificate Transparency information to clients.

If your CA is already issuing certificates with embedded SCTs (via the X509v3 Extension), this may be an easy way to get started: simply deploy a new certificate issued with embedded SCTs, and no changes should be required.

We do, however, still recommend using OCSP Stapling (if your CA supports it and supports including SCTs in the OCSP response) and/or the TLS Extension, as both of these mechanisms allow SCTs from new logs to be added or substituted over time without the need to reissue your certificates.
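Whichever of the three mechanisms a server uses, the client ends up with the same serialized SCT list, so decoding that list is a direct way to confirm which logs and timestamps are being served. The following is an added example, not part of the original page; it assumes the v1 wire layout from RFC 6962 section 3.3 with any ASN.1 OCTET STRING wrapper already removed, and the function names and sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: wire layout is the v1 SCT structure from RFC 6962 section 3.3.

def _take(buf, off, n):
    """Return (n bytes at off, new offset); reject truncated input."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n

def _opaque16(buf, off):
    """Read a field prefixed by a 2-byte big-endian length."""
    size, off = _take(buf, off, 2)
    return _take(buf, off, struct.unpack(">H", size)[0])

def parse_sct(raw):
    """Decode one SerializedSCT into a dict."""
    head, off = _take(raw, 0, 41)  # version(1) + log id(32) + timestamp(8)
    if head[0] != 0:
        raise ValueError("unsupported SCT version")
    _extensions, off = _opaque16(raw, off)
    algs, off = _take(raw, off, 2)  # hash algorithm, signature algorithm
    signature, off = _opaque16(raw, off)
    if off != len(raw):
        raise ValueError("trailing bytes after signature")
    millis = struct.unpack(">Q", head[33:41])[0]
    return {
        "log_id": head[1:33].hex(),
        "timestamp": datetime.fromtimestamp(millis / 1000, tz=timezone.utc),
        "hash_alg": algs[0],
        "sig_alg": algs[1],
        "signature_len": len(signature),
    }

def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList into a list of SCT dicts."""
    body, off = _opaque16(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        raw, pos = _opaque16(body, pos)
        scts.append(parse_sct(raw))
    return scts

# Constructed sample: one SCT with a dummy log id and signature (not real log data).
SAMPLE_SCT = (b"\x00" + b"\xaa" * 32 + struct.pack(">Q", 1700000000000)
              + b"\x00\x00" + b"\x04\x03" + b"\x00\x04" + b"\xde\xad\xbe\xef")
SAMPLE_LIST = struct.pack(">HH", len(SAMPLE_SCT) + 2, len(SAMPLE_SCT)) + SAMPLE_SCT
```

Comparing the decoded log IDs before and after a configuration change shows whether SCTs from a new log have actually been substituted into the OCSP or TLS extension response.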

At this time we are aware of support for the TLS extension in the following web servers: